Friday, May 16, 2014

Avoiding Hyperbole

Yes.  I heard about Target.

It happens every time.  Something big happens.  The news outlets turn on the bullhorn.  Affected constituents (customers) drive the furor.  Punditry on the event and effects.

Someone asks me about it on our group ride, expecting a reaction in line with what they've seen in the news.  Hyperbole, exaggeration, sky-is-falling.

(Heartbleed was probably a rare understatement of the risks.)

As an information security professional, I seize these moments to drive attention to the risks every company has when it dabbles in technology.  These moments provide a unique opportunity to add a little more darkness, a little more creaking wood and whistling wind to resident fears.

"Could it happen to us?"  Yes.  (Intellectually inaccurate, but too deep for the moment.)

"What should we do about it?"  I'm glad you asked.

This is where the conversation would typically flow toward talking about dollars, gee-whiz technologies with brilliantly flashing LEDs, all resulting in the constant whirr of user hard drives, CPUs sweating as cooling fans desperately try to overcome the heat of constant workload.

But that's not where this conversation goes.  Yes, I need money for my security program.  Everyone does.  I have another avenue I need to pursue first.

Security in our technological environment is like controlling a swimming pool.  We work very hard to maintain it, but we're constantly struggling with algae, pH levels, crap dropping from trees or deposited by wind.  Let alone the people who use it; they're the worst thing that a pool could ever experience.  Sweaty, suntan-lotion covered, beer (margarita!) drinking, swimsuit-wearing people.

We put up fences to keep undesirable people out.  We have water surface alarms to warn us when the kid, the dog (or a stranger) tries to take a dip without our knowledge.  We even have heaters and coolers.  Or wondrous, LED-filled technologies: automated pool management systems that keep water temperature just so, keep pH in range, automatically turn on lights, and even alert me when anything is out of line.

Of course, if I can't do the fundamentals, if I can't keep water levels up, if I can't keep the chlorine basket filled, if I can't consistently empty the filter, I'll eventually turn off the pool automation alerts.

Sound familiar?

I want consistency in controls.  I control where the refill water comes from, the same way every time.  I control who can use my pool, and what they have to do before entering.  And, no, there's just no peeing in my pool.  Even in the shallow end.

Security is like that swimming pool.  Simply put, your pool is only as good as the worst part of it.  Try leaving a section of algae in your pool next time, see how that works for you.

Verizon has great charts describing how breaches occur, and those datapoints are incredibly important.  Knowing where the vulnerability manifests is critically important.  Just don't turn them into a game of whack-a-mole.

The real lesson from Target is that controls must be consistent in order to be effective.  Leave aside all the discussion about ignored warnings, missed opportunities; ask yourself these questions:

Why was a critical, protected infrastructure accessible from common, low(er) security networks?

Why was a third party, any third party, connected into a company network without documentation; worse, lacking separation from general corporate systems, let alone critical infrastructure?

What are the core security competencies, the core controls in alignment with business risk necessary to protect the operations of the company?

And, root cause for Target: Why wasn't there a single point of authority over all information security to serve as the foundation for application of standards and compliance?

Target's CEO's departure is the final nail, and with due respect a righteous kill.  Management never had the intent to implement solid security controls, and as such never named an individual to have ultimate responsibility for those controls.

There's my message.  No, Target can't happen here.  You, Mr(s). Executive, express management intent to maintain security - which is why I'm here.  I intend, first and foremost, to be solid in the basics; to do the basics consistently and flawlessly.  Your intent to support that mission is imperative.  We'll talk more when, with your support, I've driven the risk out of the fundamentals.

And, yes, I'll need money to do it.  We need to know there isn't a peeing section in our pool.
